Ticket History #9198: Use X509_check_host() to verify KKDCP server cert

# Wed Mar 04 02:09:38 2026 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 737B

Use X509_check_host() to verify KKDCP server cert

In the k5tls module, rely on X509_check_host() and
X509_check_ip_asc(), which were added in OpenSSL 1.0.2, instead of
doing our own verification.

There is one notable difference in behavior: X509_check_host() admits
wildcards with a prefix or suffix (but not both) within the label,
like "kdc*.mydomain.com". The old code only allows a wildcard to
match a complete label.

https://github.com/krb5/krb5/commit/f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Author: Greg Hudson <ghudson@mit.edu>
Commit: f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Branch: master
src/plugins/tls/k5tls/openssl.c | 211 ++--------------------------------------
1 file changed, 6 insertions(+), 205 deletions(-)

# Wed Mar 04 02:09:38 2026 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Wed Mar 04 02:09:38 2026 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added